
EC2 Instance In VPC

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-023

Ensure that all your EC2 instances are deployed within the AWS EC2-VPC platform instead of the EC2-Classic platform, for better flexibility and control over security, traffic routing and availability.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Launching your EC2 instances on the EC2-VPC platform instead of EC2-Classic brings several advantages: a better networking infrastructure (network isolation in an address range you control, Elastic Network Interfaces, subnets), more flexible security controls (network ACLs at the subnet level, and security groups that filter outbound/egress traffic in addition to inbound traffic, which EC2-Classic security groups cannot do), access to newer instance types that are only available in a VPC (C4, M4, T2, etc.), and the capability to run instances on single-tenant (dedicated) hardware. On EC2-Classic, by contrast, instances run in a single flat network shared with other AWS customers. Note that AWS retired the EC2-Classic platform on August 15, 2022, so any remaining EC2-Classic instance must be migrated as described in this rule.


Audit

To determine the EC2 platform (EC2-Classic or EC2-VPC) used to launch your instances, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 On the EC2 console dashboard, in the Account Attributes upper-right section, check the EC2 Supported Platforms for your AWS account:

  1. If the Supported Platforms value is VPC, your account supports only the EC2-VPC platform and all your instances are launched within a Virtual Private Cloud (VPC) environment, therefore the platform checkup stops here.
  2. If the Supported Platforms status value is set to EC2 and VPC, your account supports both EC2-Classic and EC2-VPC platforms. To identify any instances launched using EC2-Classic, continue to the next step.

04 In the left navigation panel, under INSTANCES section, choose Instances.

05 Select the running EC2 instance that you want to examine.

06 Select the Description tab from the dashboard bottom panel.

07 In the left column, check the VPC ID parameter value. If VPC ID parameter has no value assigned, the selected EC2 instance was launched within the EC2-Classic platform and needs to be moved to the EC2-VPC platform. Cloud Conformity recommends migrating any running EC2-Classic instances to a VPC.

08 Repeat steps no. 5 – 7 to verify the EC2 platform used by other instances available in the current region.

09 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run describe-account-attributes command (OSX/Linux/UNIX) to list the EC2 platforms currently supported by your AWS account:

aws ec2 describe-account-attributes
	--region us-east-1
	--attribute-names supported-platforms

02 The command output should return the name(s) of the EC2 platform used:

{
    "AccountAttributes": [
        {
            "AttributeName": "supported-platforms",
            "AttributeValues": [
                {
                    "AttributeValue": "EC2"
                },
                {
                    "AttributeValue": "VPC"
                }
            ]
        }
    ]
}

If the AttributeValues array returns only the VPC value, your account supports only the EC2-VPC platform in the selected region and all your instances there are launched within a VPC environment. If the AttributeValues array returns both EC2 and VPC values (as shown in the output example above), your account supports both EC2-Classic and EC2-VPC platforms in that region. Note that supported-platforms is a per-region attribute, so an account can be VPC-only in one region and EC2+VPC in another. To identify any EC2-Classic based instances, continue to the next step.

03 Run describe-instances command (OSX/Linux/UNIX) with appropriate filtering to list the IDs of the EC2 instances currently available in the selected region:

aws ec2 describe-instances
	--region us-east-1
	--output table
	--query 'Reservations[*].Instances[*].InstanceId'

04 The command output should return a table with the requested instance IDs:

-------------------
|DescribeInstances|
+-----------------+
|   i-c5834a73    |
|   i-a4c34a45    |
|   i-c4731a4f    |
+-----------------+

05 Run describe-instances command (OSX/Linux/UNIX) using each instance ID returned at the previous step and some basic filtering to determine whether the selected instance is running on the EC2-Classic or the EC2-VPC platform:

aws ec2 describe-instances
	--region us-east-1
	--instance-ids i-c5834a73
	--query 'Reservations[*].Instances[*].VpcId'

06 The command output should return the VPC ID if the selected instance is running within an EC2-VPC environment. For an EC2-Classic instance the VpcId attribute is absent and the query returns an empty array, i.e. [ ], as shown in the output example below:

[
    []
]

07 Repeat steps no. 5 and 6 to verify the EC2 platform used by other instances available in the current region.

08 Repeat steps no. 1 – 7 to repeat the process for the other AWS regions.
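The check described in steps no. 1 – 8 reduces to one rule: an instance is EC2-Classic when its describe-instances record has no VpcId. The following script is an added example, not part of the Conformity rule page or of the AWS CLI. It implements that rule over the JSON the CLI emits, so one pipe replaces the per-instance queries above; the embedded sample data is constructed for demonstration (the instance IDs are the ones used on this page, the remaining fields are assumed), and the file name find_classic.py is hypothetical.

```python
#!/usr/bin/env python3
"""Flag EC2-Classic instances in `aws ec2 describe-instances` output.

Added example; not code from the Conformity rule page. Feed it the JSON the
CLI emits:

    aws ec2 describe-instances --region us-east-1 --output json | python3 find_classic.py us-east-1

An EC2-Classic instance has no "VpcId" key at all, whereas every EC2-VPC
instance carries one, so the check is "is VpcId missing or empty".
"""
import json
import sys

# Constructed sample shaped like describe-instances output. The instance IDs are
# the ones used on this page; the surrounding fields are assumed.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-c5834a73", "State": {"Name": "running"},
             "SecurityGroups": [{"GroupName": "web-classic"}]},           # EC2-Classic
            {"InstanceId": "i-a4c34a45", "State": {"Name": "running"},
             "VpcId": "vpc-e24e9385", "SubnetId": "subnet-af2969f7"},      # EC2-VPC
        ]},
        {"Instances": [
            {"InstanceId": "i-c4731a4f", "State": {"Name": "terminated"}},  # gone, ignore
        ]},
    ]
}

# Constructed samples shaped like describe-account-attributes output.
SAMPLE_ATTRS_BOTH = {"AccountAttributes": [{"AttributeName": "supported-platforms",
    "AttributeValues": [{"AttributeValue": "EC2"}, {"AttributeValue": "VPC"}]}]}
SAMPLE_ATTRS_VPC_ONLY = {"AccountAttributes": [{"AttributeName": "supported-platforms",
    "AttributeValues": [{"AttributeValue": "VPC"}]}]}


def supports_classic(account_attributes):
    """True when the region's supported-platforms attribute lists "EC2".

    A VPC-only region cannot hold EC2-Classic instances, so the per-instance
    scan can be skipped there.
    """
    for attr in account_attributes.get("AccountAttributes", []):
        if attr.get("AttributeName") == "supported-platforms":
            values = {v.get("AttributeValue") for v in attr.get("AttributeValues", [])}
            return "EC2" in values
    return False


def classic_instance_ids(describe_instances):
    """Return IDs of non-terminated instances launched on EC2-Classic.

    Terminated instances are skipped: they cannot be migrated and drop out of
    the API on their own shortly after termination.
    """
    found = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            if not inst.get("VpcId"):
                found.append(inst["InstanceId"])
    return found


def report(describe_instances, region="unknown"):
    """One tab-separated finding per line, ready for grep or a ticket."""
    return [f"{region}\t{iid}\tEC2-Classic" for iid in classic_instance_ids(describe_instances)]


if __name__ == "__main__":
    if sys.stdin.isatty():      # nothing piped in: demonstrate on the embedded sample
        data, region = SAMPLE_DESCRIBE_INSTANCES, "sample"
    else:
        data = json.load(sys.stdin)
        region = sys.argv[1] if len(sys.argv) > 1 else "unknown"
    lines = report(data, region)
    print("\n".join(lines) if lines else f"{region}\tno EC2-Classic instances")
    sys.exit(1 if lines else 0)   # non-zero exit lets a scheduled check fail loudly
```

To cover every region, loop in the shell: for r in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do aws ec2 describe-instances --region "$r" --output json | python3 find_classic.py "$r"; done. The non-zero exit status when findings exist lets the check fail a CI job or a scheduled compliance run.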

Remediation / Resolution

To migrate your EC2-Classic instances to a Virtual Private Cloud, you must recreate those instances in a VPC environment. To recreate the necessary instances, perform the following:

Note: As an example, this guide explains how to migrate a Linux EC2 instance from the EC2-Classic platform to EC2-VPC within the same AWS region.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Create the Virtual Private Cloud (VPC) where the EC2-Classic instances will be migrated. To set up the VPC environment, perform the following actions:

  1. Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/. Make sure you create the VPC environment in the same AWS region with the EC2-Classic instances.
  2. In the Resources section, click Start VPC Wizard to initiate the setup process.
  3. Choose the VPC with a Single Public Subnet option then click the Select button.
  4. On the VPC with a Single Public Subnet configuration page, enter a name for your new Virtual Private Cloud in the VPC name box and leave the default configuration settings unchanged.
  5. Click Create VPC to set up your new VPC. Once the VPC is successfully created click OK to close the status window and return to the VPC dashboard.

03 Before recreating the EC2 instance, you need to copy the EC2-Classic instance security group to the newly created VPC, because a security group belongs to a single VPC (or to EC2-Classic) and cannot be attached across platforms. To migrate (copy) the necessary security group, perform the following:

  1. Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
  2. In the navigation panel, under NETWORK & SECURITY section, select Security Groups.
  3. Select the security group assigned to your EC2-Classic instance, click the Actions dropdown button and select Copy to new.
  4. In the Create Security Group dialog box, provide the following details:
    • In the Security group name box, enter a name for the new security group.
    • In the Description box, provide a description for new security group.
    • From the VPC dropdown list, select the VPC ID/name created at step no. 2.
    • Inside the Inbound tab review the inbound rules copied automatically by AWS and remove any that are no longer needed. Then open the Outbound tab: EC2-Classic security groups only filter inbound traffic, but a new VPC security group is created with a rule allowing all outbound traffic, so tighten it if the instance should not be able to initiate arbitrary connections. Click the Create button to create the security group.

04 Now it’s time to create an image from your EC2-Classic instance. The image is required to recreate the instance within your new VPC. To create the Amazon Machine Image (AMI), perform the following:

  1. In the navigation panel, under INSTANCES section, select Instances.
  2. Select the EC2-Classic instance that you want to migrate (see the Audit section to identify any EC2-Classic instances available in the current region).
  3. Click the Actions dropdown button from the dashboard top menu, select Image and click Create Image.
  4. Inside Create Image dialog box, provide the following information:
    • Enter a name for the new AMI in the Image Name box.
    • In the Image description box, provide a description that reflects the EC2-Classic instance selected.
    • Leave the No reboot option unchecked so that AWS reboots the instance before taking the snapshot and can guarantee the file system integrity of the new image (the instance is briefly unavailable during the reboot).
  5. Click Create Image to submit the request to create the image. Click Close to return to the EC2 dashboard. The image creation process may take few minutes. Once the process is complete the AMI status should change from pending to available.

05 Once the AMI is ready, use it to launch the instance into the new VPC and recreate the EC2-Classic instance. To launch it, perform the following actions:

  1. In the navigation panel, under INSTANCES section, select Instances.
  2. Click the Launch Instance button from the EC2 dashboard top menu to initiate the process.
  3. On the Choose an Amazon Machine Image (AMI) page, choose My AMIs tab then select the AMI created at step no. 4.
  4. On the Choose an Instance Type page, select the instance type used by the EC2-Classic instance (or a VPC-only current-generation equivalent such as M4, C4 or T2) then click the Next: Configure Instance Details button.
  5. On the Configure Instance Details page, select your VPC ID/name from the Network dropdown list and configure any other options such as IAM role, Monitoring and Shutdown Behavior based on your requirements. Click Next: Add Storage and go through the next pages until you reach the Configure Security Group page, without changing any configuration.
  6. On the Configure Security Groups, choose Select an existing security group and select the VPC security group recreated at step no. 3. Click the Review and Launch button, review your instance configuration details and click Launch.
  7. In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the same key pair as the EC2-Classic instance. Check I acknowledge that I have access to the selected private key file option then click Launch Instances.
  8. Click View Instances to return to the Instances page. The new instance will have the same data and system configuration as the EC2-Classic instance had at the moment the image was created; anything written to the old instance after that point is not carried over, so stop making changes to it before step no. 4 or synchronize that data separately.

06 Transfer the Elastic IP (EIP) from the EC2-Classic instance to the EC2-VPC instance so that existing clients and DNS records keep resolving to the same address. If the EC2-Classic instance does not have an EIP attached you will have to update the domain DNS record(s) to point to the new instance IP. An address allocated for EC2-Classic must first be moved to the VPC scope before it can be associated with a VPC instance. To transfer the Elastic IP, perform the following actions:

  1. In the navigation panel, under NETWORK & SECURITY section, select Elastic IPs.
  2. Select the EIP address attached to the EC2-Classic instance, click the Actions dropdown button then select Disassociate Address.
  3. In the Disassociate Address dialog box, review the details then click Yes, Disassociate.
  4. With the same address still selected, click the Actions dropdown button, select Move to VPC scope and confirm. Wait until the address is shown as available in the VPC scope (the move can take a few minutes).
  5. Select the moved address, click the Actions dropdown button then select Associate Address.
  6. In the Associate Address dialog box, select the EC2 instance recreated at step no. 5 from the Instance dropdown list then click Associate to attach the EIP.

07 Once you've verified that your new EC2 instance is working as expected within the VPC environment, terminate the EC2-Classic instance to stop incurring charges for this resource. Termination deletes the instance's EBS root volume (if Delete on Termination is set) and any instance store data, so keep the AMI created at step no. 4 until the migration is signed off. To terminate the EC2-Classic instance, perform the following:

  1. In the navigation panel, under INSTANCES section, select Instances.
  2. Select the EC2-Classic instance that you want to shut down.
  3. Click the Actions dropdown button from the dashboard top menu, select Instance State and click Terminate.
  4. In the Terminate Instances confirmation box, review the instance details then click Yes, Terminate.

Using AWS CLI

01 Run create-image command (OSX/Linux/UNIX) to create an image from your EC2-Classic instance. This AMI is required to recreate the EC2 instance within a VPC. Keep the default reboot behaviour (do not pass --no-reboot): AWS reboots the instance so the file system is quiesced before the snapshot is taken, which is what guarantees the file system integrity of the new AMI. Schedule the command in a maintenance window, because the instance is unavailable for a short time during the reboot:

aws ec2 create-image
	--region us-east-1
	--instance-id i-c5834a73
	--name "EC2-Classic Instance Image"
	--description "Web App LAMP Stack AMI ver. 2.1"

02 The command output should return the new Amazon Machine Image (AMI) ID:

{
    "ImageId": "ami-d51eg45f"
}

03 Run create-vpc command (OSX/Linux/UNIX) to create the new Virtual Private Cloud (VPC) where the EC2 instance will be recreated. The following command example creates a default (shared) tenancy VPC with the CIDR block 10.0.0.0/16; add --instance-tenancy dedicated if the instances must run on single-tenant hardware:

aws ec2 create-vpc
	--region us-east-1
	--cidr-block 10.0.0.0/16

04 The command output should return the new VPC metadata (including the VPC ID):

{
    "Vpc": {
        "VpcId": "vpc-e24e9385",
        "InstanceTenancy": "default",
        "State": "pending",
        "DhcpOptionsId": "dopt-ebe9188f",
        "CidrBlock": "10.0.0.0/16",
        "IsDefault": false
    }
}

05 Run create-internet-gateway command (OSX/Linux/UNIX) to create an AWS Internet Gateway for use with the newly created VPC (required):

aws ec2 create-internet-gateway
	--region us-east-1

06 The command output should return the Internet Gateway metadata (including its ID):

{
    "InternetGateway": {
        "Tags": [],
        "InternetGatewayId": "igw-40490c24",
        "Attachments": []
    }
}

07 Run attach-internet-gateway command (OSX/Linux/UNIX) to attach the new Internet Gateway to your VPC created at step no. 3 (no output is returned):

aws ec2 attach-internet-gateway
	--region us-east-1
	--internet-gateway-id igw-40490c24
	--vpc-id vpc-e24e9385

08 Now run create-subnet command (OSX/Linux/UNIX) to set up a subnet within the new VPC. The EC2 instance will be launched within this subnet (required):

aws ec2 create-subnet
	--region us-east-1
	--vpc-id vpc-e24e9385
	--cidr-block 10.0.1.0/24

09 The command output should return the subnet metadata (including the subnet ID):

{
    "Subnet": {
        "VpcId": "vpc-e24e9385",
        "CidrBlock": "10.0.1.0/24",
        "State": "pending",
        "AvailabilityZone": "us-east-1b",
        "SubnetId": "subnet-af2969f7"
    }
}

10 Run create-route-table command (OSX/Linux/UNIX) to create a route table for your new VPC (required):

aws ec2 create-route-table
	--region us-east-1
	--vpc-id vpc-e24e9385

11 The command output should return the VPC route table metadata (including its ID):

{
    "RouteTable": {
        "Associations": [],
        "RouteTableId": "rtb-41411826",
        "VpcId": "vpc-e24e9385",
        "PropagatingVgws": [],
        "Tags": [],
        "Routes": [
            {
                "GatewayId": "local",
                "DestinationCidrBlock": "10.0.0.0/16",
                "State": "active",
                "Origin": "CreateRouteTable"
            }
        ]
    }
}

12 Run associate-route-table command (OSX/Linux/UNIX) to associate the VPC subnet created at step no. 8 with the new route table (required):

aws ec2 associate-route-table
	--region us-east-1
	--route-table-id rtb-41411826
	--subnet-id subnet-af2969f7

13 The command output should return the VPC route table association ID:

{
    "AssociationId": "rtbassoc-dcf461ba"
}

14 Run create-route command (OSX/Linux/UNIX) to add a default route (0.0.0.0/0) through the Internet Gateway to the VPC route table created earlier. This route is what makes the subnet public, i.e. reachable from the Internet and able to reach it (required):

aws ec2 create-route
	--region us-east-1
	--route-table-id rtb-41411826
	--destination-cidr-block 0.0.0.0/0
	--gateway-id igw-40490c24

15 The command output should return the status of route request (true for success, an error message if the request fails):

{
    "Return": true
}

16 Now that the VPC is installed and configured, you need to create the EC2 instance dependencies: the 2048-bit RSA key pair and the necessary security group:

  1. Run create-key-pair command (OSX/Linux/UNIX) to set up a new RSA key pair in the selected AWS region:
    aws ec2 create-key-pair
    	--region us-east-1
    	--key-name MyEC2KeyPair
    
  2. The command output should return the private key in PEM format and the key fingerprint. Save the content of the KeyMaterial parameter value to a .pem file in a safe location on your machine and restrict its permissions (e.g. chmod 400), because anyone holding this file can log in to the new instance. To write the key straight to a file instead of displaying it, add --query 'KeyMaterial' --output text to the command and redirect the output to MyEC2KeyPair.pem:
    {
        "KeyMaterial": "-BEGIN RSA PRIVATE KEY- ... -END RSA PRIVATE KEY-",
        "KeyName": "MyEC2KeyPair",
        "KeyFingerprint": "de:45:92:4a:5a:06:21 ... cc:22:0f:0e:c9:a4:8d"
    }
    
  3. Run create-security-group command (OSX/Linux/UNIX) to set up a security group within the VPC created at step no. 3. The following command example creates a security group called MyEC2SecurityGroup inside the VPC identified with the ID vpc-e24e9385, within the US East AWS region:
    aws ec2 create-security-group
    	--region us-east-1
    	--group-name MyEC2SecurityGroup
    	--description "My EC2 Security Group"
    	--vpc-id vpc-e24e9385
    
  4. The command output should return the new security group ID:
    {
        "GroupId": "sg-5128922a"
    }
    
  5. Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add one or more inbound rules to the security group created at the previous step (no command output is returned). Recreate only the inbound rules your EC2-Classic security group actually needed, and restrict administrative ports such as SSH (22) to known source addresses rather than 0.0.0.0/0. A new VPC security group also allows all outbound traffic by default, which EC2-Classic groups did not do; use authorize-security-group-egress / revoke-security-group-egress if you need to limit it. The following example opens HTTP for a public web server:
    aws ec2 authorize-security-group-ingress
    	--region us-east-1
    	--group-id sg-5128922a
    	--protocol tcp
    	--port 80
    	--cidr 0.0.0.0/0
    

17 Run run-instances command (OSX/Linux/UNIX) to launch the EC2 instance from the image created at step no. 1. The instance must be launched by subnet ID (--subnet-id) with the security group referenced by its ID (--security-group-ids); the name-based --security-groups parameter without a subnet is only valid for EC2-Classic or the default VPC and, in an account that supports both platforms, would launch the new instance on EC2-Classic again. The following command example recreates an EC2-Classic instance (m3.medium) using the AMI with the ID ami-d51eg45f, the RSA key pair and the security group created at step no. 16, inside the subnet created at step no. 8, within the US East AWS region:

aws ec2 run-instances
	--region us-east-1
	--image-id ami-d51eg45f
	--count 1
	--instance-type m3.medium
	--key-name MyEC2KeyPair
	--subnet-id subnet-af2969f7
	--security-group-ids sg-5128922a

18 The command output should return the new EC2 instance configuration metadata:

{
    "OwnerId": "565392585563",
    "ReservationId": "r-04487b8359ad966gd",
    "Groups": [],
    "Instances": [
        {
            ...
            "EbsOptimized": false,
            "LaunchTime": "2016-06-02T17:40:21.000Z",
            "PrivateIpAddress": "10.0.1.190",
            "VpcId": "vpc-e24e9385",
            "StateTransitionReason": "",
            "InstanceId": "i-004c1c5834a73e6la",
            ...
        }
    ]
}

19 Now transfer the Elastic IP from the EC2-Classic instance to the EC2-VPC instance to reference the new instance. To transfer the Elastic IP, perform the following commands:

  1. Run disassociate-address command (OSX/Linux/UNIX) to detach the Elastic IP (EIP) address from the EC2-Classic instance. An address allocated for EC2-Classic is identified by its public IP, as it has no allocation ID yet:
    aws ec2 disassociate-address
    	--region us-east-1
    	--public-ip 52.204.45.197
    
  2. Run move-address-to-vpc command (OSX/Linux/UNIX) to move the address from the EC2-Classic platform to the EC2-VPC platform. An EC2-Classic address cannot be associated with a VPC instance until this step has completed:
    aws ec2 move-address-to-vpc
    	--region us-east-1
    	--public-ip 52.204.45.197
    
  3. The command output should return the allocation ID assigned to the address in the VPC scope together with the move status. The move runs asynchronously; the address is ready once describe-moving-addresses no longer lists it:
    {
        "AllocationId": "eipalloc-54dfe90d",
        "Status": "MoveInProgress"
    }
    
  4. Run associate-address command (OSX/Linux/UNIX) to associate the moved EIP address, identified by the allocation ID returned at the previous step, with the new EC2-VPC instance:
    aws ec2 associate-address
    	--region us-east-1
    	--instance-id i-004c1c5834a73e6la
    	--allocation-id eipalloc-54dfe90d
    

20 Once you've verified that your new EC2 instance is working as expected within the VPC environment (application reachable on the Elastic IP, data present, monitoring healthy), terminate the EC2-Classic instance to stop incurring charges for the resource. Termination deletes the instance's EBS root volume if Delete on Termination is set, and all instance store data, so keep the AMI created at step no. 1 until the migration is signed off. To terminate the EC2-Classic instance run terminate-instances command (OSX/Linux/UNIX) using the instance ID as identifier:

aws ec2 terminate-instances
	--region us-east-1
	--instance-ids i-c5834a73

21 The command output should return the shutdown request metadata:

{
    "TerminatingInstances": [
        {
            "InstanceId": "i-c5834a73",
            "CurrentState": {
                "Code": 32,
                "Name": "shutting-down"
            },
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}
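Steps no. 1 – 20 above form one dependency chain: image, network, security group, launch, address move, and only then termination. The following script is an added example, not code from the Conformity rule page or from AWS. It drives the same AWS CLI commands in that order, waits where the manual steps say "once the AMI is ready", and launches by subnet ID and security group ID. Every call goes through a cli callable that defaults to running the aws binary, which also lets the ordering be exercised with a fake runner; the file name migrate_classic.py and the generated resource names are hypothetical, and the key pair is assumed to exist already. The script does not terminate the EC2-Classic instance; that remains a deliberate manual step after verification.

```python
#!/usr/bin/env python3
"""Recreate an EC2-Classic instance inside a new VPC by driving the AWS CLI.

Added example (not from the Conformity rule page). Every AWS call goes through
the `cli` callable so the ordering can be tested with a fake runner.
Assumes: aws on PATH with credentials; the key pair already exists.
"""
import json
import subprocess
import sys
import time


def run_cli(args):
    """Run `aws <args> --output json`; return parsed JSON, or None if the command is silent."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def wait_for_eip_move(public_ip, region, cli, max_wait=600, poll=5):
    """Block until describe-moving-addresses no longer lists the address.

    move-address-to-vpc is asynchronous and associate-address fails while the
    address is still in the "movingToVpc" state.
    """
    deadline = time.monotonic() + max_wait
    while True:
        moving = cli(["ec2", "describe-moving-addresses", "--region", region,
                      "--public-ips", public_ip]) or {}
        if not moving.get("MovingAddressStatuses"):
            return
        if time.monotonic() > deadline:
            raise TimeoutError(f"{public_ip} still moving to VPC scope after {max_wait}s")
        time.sleep(poll)


def migrate(classic_instance_id, region, instance_type, key_name, public_ip=None,
            vpc_cidr="10.0.0.0/16", subnet_cidr="10.0.1.0/24",
            ingress=(("tcp", 80, "0.0.0.0/0"),), cli=run_cli):
    r = ["--region", region]

    # 1. Image the source instance. create-image reboots it by default, which is
    #    what makes the file system in the AMI consistent; never pass --no-reboot here.
    ami = cli(["ec2", "create-image", *r, "--instance-id", classic_instance_id,
               "--name", f"classic-migration-{classic_instance_id}"])["ImageId"]
    cli(["ec2", "wait", "image-available", *r, "--image-ids", ami])

    # 2. Network: VPC, Internet Gateway, one subnet, route table with a default route
    #    through the gateway (the CLI form of the "VPC with a Single Public Subnet" wizard).
    vpc = cli(["ec2", "create-vpc", *r, "--cidr-block", vpc_cidr])["Vpc"]["VpcId"]
    igw = cli(["ec2", "create-internet-gateway", *r])["InternetGateway"]["InternetGatewayId"]
    cli(["ec2", "attach-internet-gateway", *r, "--internet-gateway-id", igw, "--vpc-id", vpc])
    subnet = cli(["ec2", "create-subnet", *r, "--vpc-id", vpc,
                  "--cidr-block", subnet_cidr])["Subnet"]["SubnetId"]
    rtb = cli(["ec2", "create-route-table", *r, "--vpc-id", vpc])["RouteTable"]["RouteTableId"]
    cli(["ec2", "associate-route-table", *r, "--route-table-id", rtb, "--subnet-id", subnet])
    cli(["ec2", "create-route", *r, "--route-table-id", rtb,
         "--destination-cidr-block", "0.0.0.0/0", "--gateway-id", igw])

    # 3. Security group scoped to the new VPC with only the inbound rules asked for.
    #    (VPC groups allow all egress by default; tighten with revoke-security-group-egress.)
    sg = cli(["ec2", "create-security-group", *r, "--vpc-id", vpc,
              "--group-name", f"migrated-{classic_instance_id}",
              "--description", f"rules for {classic_instance_id} recreated in {vpc}"])["GroupId"]
    for proto, port, cidr in ingress:
        cli(["ec2", "authorize-security-group-ingress", *r, "--group-id", sg,
             "--protocol", proto, "--port", str(port), "--cidr", cidr])

    # 4. Launch into the subnet. --subnet-id with --security-group-ids is what makes this
    #    a VPC launch; --security-groups by name without a subnet would land the instance
    #    on EC2-Classic again in an account that supports both platforms.
    inst = cli(["ec2", "run-instances", *r, "--image-id", ami, "--count", "1",
                "--instance-type", instance_type, "--key-name", key_name,
                "--subnet-id", subnet, "--security-group-ids", sg])["Instances"][0]["InstanceId"]
    cli(["ec2", "wait", "instance-running", *r, "--instance-ids", inst])

    # 5. Re-point the Elastic IP. A Classic-scope address has no allocation ID and
    #    cannot be attached to a VPC instance until it has been moved to VPC scope.
    allocation = None
    if public_ip:
        cli(["ec2", "disassociate-address", *r, "--public-ip", public_ip])
        allocation = cli(["ec2", "move-address-to-vpc", *r, "--public-ip", public_ip])["AllocationId"]
        wait_for_eip_move(public_ip, region, cli)
        cli(["ec2", "associate-address", *r, "--instance-id", inst, "--allocation-id", allocation])

    # The EC2-Classic instance is left running on purpose: terminate it (step no. 20)
    # only after the new instance has been verified.
    return {"ImageId": ami, "VpcId": vpc, "SubnetId": subnet, "GroupId": sg,
            "InstanceId": inst, "AllocationId": allocation}


if __name__ == "__main__":
    if len(sys.argv) < 5:
        sys.exit("usage: migrate_classic.py <instance-id> <region> <instance-type> <key-name> [elastic-ip]")
    print(json.dumps(migrate(*sys.argv[1:6]), indent=2))
```

Run it as python3 migrate_classic.py i-c5834a73 us-east-1 m3.medium MyEC2KeyPair 52.204.45.197; the printed JSON lists the IDs of every resource created, which is also what you need to tear the VPC down again if the new instance does not pass verification.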


Publication date Jun 3, 2016